Presentation on theme: "1 Linux IP Masquerading Brian Vargyas XNet Information Systems."— Presentation transcript:
1 Linux IP Masquerading Brian Vargyas XNet Information Systems
2 Agenda What is IP Masquerade How does it work Example Setting Up IP Masquerade References
3 What not to expect Teaching you how to set up Redhat Linux 5.1 How to compile and install a new kernel
4 Why is IP Masquerading HOT? Demand to share a single Internet address across multiple machines. Demand to save Internet IPv4 address space. Demand for better internal network security.
5 Emerging Applications Network Hiding Cable Modem Solutions xDSL Solutions Dial on Demand Internet
6 So what is it? A Developing networking function built in to RedHat Linux 5.1 Allows machines connected to the Linux system to access the Internet as if they were coming from a single IP address. Provides a secure way of hiding internal networks.
7 A Simple Setup Linux Gateway ISP ISDN 220.127.116.11/32 Dynamic IP Address 10.0.0.0/8 Static Class A Network eth0
8 How it works Translation Tables Manage Inside to Outside Address Translation IPFWADM (IP Firewall Administration) IPPORTFW (IP Port Forwarding) Loadable kernel modules for special IP services like FTP, IRC, QUAKE.
9 IP Translation Tables 10.0.0.1 23 10.0.0.2 80 10.0.0.3 25 Net 18.104.22.168 2000 22.214.171.124 2001 126.96.36.199 2002 Inside AddressesOutside Address Address / Source Port PairsAddress / Dest. Port Pairs Maintains IP Address Source/Dest. Port Pairs. Pool of 4096 Ports.
10 IPFWADM (Firewall) Manages Permit/Deny Firewall Access Lists Controls which networks are allowed to IP Masquerade Deny access to all other networks.
11 IPPORTFW (Port Forwarding) Controls mapping of incoming port requests to a inside address. Lets you run mail/web server on another host inside your network. Provides complete flexibility on where to place IP services. Not included in standard Redhat 5 distribution.
12 Loadable Kernel Modules Lets special IP services such as FTP operate correctly. I.E. Back Channel Data (Not Passive). Only loads into memory if needed Some services not supported. PPTP Patches.
14 Example (My Home) 3 Machines needs Internet access 1 DHCP dynamic address provided from Cable Company. Backup ISDN dialup Windows NT web/mail server
Example Config 15 Linux Gateway ISP ISDN 10.0.0.0/8 Static Class A Network eth0 Cable Network eth1 Cable Modem
15 Configure all system interfaces. Make sure you can ping remote machines. Verify connectivity to your ISP is working. Install IPPORTFW Kernel Patches, Rebuilt Kernel, Install and Reboot. (Kernel 2.0.33/2.0.34) Compile IPPORTFW utility and install in /bin. Edit your /etc/rc.d/rc2.d/S99local file and include the necessary IPFWADM and IPPORTFW configuration. Make sure you have a default route (0.0.0.0/0) pointed at your ISP Interface. Setup Procedure
16 Setup Configuration (S99local) # S99local echo "1" > /proc/sys/net/ipv4/ip_forwarding /sbin/ipfwadm -F -p deny /sbin/ipfwadm -F -a m -S 10.0.0.0/24 -D 0.0.0.0/0 /sbin/ipportfw -A -t 188.8.131.52/80 -R 10.0.0.3/80 /sbin/ipportfw -A -t 184.108.40.206/25 -R 10.0.0.3/25 route add default 220.127.116.11